Putting the Pieces Together
Now that your cluster is connected to your production network and has passed the initial scrutiny of your security team, it’s time to further improve your application’s security and open it up to external traffic.
Challenge
Some security concerns were addressed in the previous challenge, but it’s important to continue to keep security in mind for this challenge (and in the real world!).
Security
To improve secret management, you have additional security requirements mandated by your CTO:
- Secrets should be secured in an external vault, not on the cluster. This approach prevents values from being accessed directly by any person without permissions or access to the vault itself.
- Access to the external key vault should not require a secret stored in the cluster.
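One way to meet both requirements with the Secret Store CSI driver is to let pods read Azure Key Vault through an Azure AD identity bound to the pod, so no vault credential ever lives in a Kubernetes Secret. The manifests below are an added example, not part of the OpenHack materials or the TripInsights repository; the namespace, resource names, image reference and the angle-bracket values (client ID, tenant ID, vault name) are placeholders you would replace, and the choice of Azure AD workload identity over the kubelet's managed identity is an assumption of this example.

```yaml
# Added example (not from the OpenHack page). Assumes the Secrets Store CSI
# driver and its Azure Key Vault provider are installed on the cluster, and
# that a user-assigned identity with "get" permission on the vault's secrets
# is federated to the ServiceAccount below (workload identity).
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tripapi-sa                      # hypothetical name
  namespace: tripinsights               # hypothetical namespace
  annotations:
    # The only "credential" on the cluster is this identity reference;
    # tokens are minted by Azure AD at runtime, never stored here.
    azure.workload.identity/client-id: "<WORKLOAD_IDENTITY_CLIENT_ID>"
---
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: azure-kv-sql
  namespace: tripinsights
spec:
  provider: azure
  parameters:
    usePodIdentity: "false"
    useVMManagedIdentity: "false"
    clientID: "<WORKLOAD_IDENTITY_CLIENT_ID>"   # same identity as the SA
    keyvaultName: "<KEY_VAULT_NAME>"
    tenantId: "<TENANT_ID>"
    objects: |
      array:
        - |
          objectName: sql-server        # vault secret names are assumed
          objectType: secret
        - |
          objectName: sql-user
          objectType: secret
        - |
          objectName: sql-password
          objectType: secret
  # Deliberately no "secretObjects:" section: syncing vault values into a
  # Kubernetes Secret would put them back on the cluster, which is exactly
  # what the CTO's first requirement rules out.
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tripapi
  namespace: tripinsights
spec:
  replicas: 1
  selector:
    matchLabels:
      app: tripapi
  template:
    metadata:
      labels:
        app: tripapi
        azure.workload.identity/use: "true"   # opt this pod into token injection
    spec:
      serviceAccountName: tripapi-sa
      containers:
        - name: tripapi
          image: "<REGISTRY>/tripinsights/tripapi:latest"   # placeholder image
          volumeMounts:
            - name: kv-secrets
              mountPath: /mnt/secrets    # app reads /mnt/secrets/sql-password etc.
              readOnly: true
      volumes:
        - name: kv-secrets
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: azure-kv-sql
```

A quick check that the second requirement holds: `kubectl get secrets -n tripinsights` should list nothing carrying vault credentials or the SQL values, and the mounted files should still appear inside the pod. If the application only reads configuration from environment variables, prefer adapting it to read the mounted files over enabling `secretObjects`, since the latter reintroduces a cluster-stored copy.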
Ingress
Although you have multiple services deployed to the cluster, you will want a single endpoint for your customers to reach. To do this, create an ingress controller and configure the ingress rules to route to the appropriate services. The References section contains more information on the paths for the different components.
In order to validate that your application is working as expected, you will need to submit a single endpoint (http://endpoint.you.provide) to a provided simulator. The simulator will start sending traffic to the APIs once you provide your endpoint. It expects to make calls to the APIs by name (http://endpoint.you.provide/api/trips for example). You can see data start to flow through your app via the Trip Viewer application. The simulator is deployed as a container instance in your subscription and you will find the URL for the simulator in the Messages tab of your OpenHack portal.
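The following Ingress resource is an added example of the routing described above, not configuration from the OpenHack materials. It assumes an NGINX ingress controller registered under the `nginx` ingress class, a `tripinsights` namespace, and Service names chosen here for illustration; only the `/api/trips` path comes from the challenge text, and the remaining API paths must be taken from the API paths reference.

```yaml
# Added example (not from the OpenHack page). One public endpoint, with
# path-based routing to services that stay ClusterIP inside the cluster.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tripinsights
  namespace: tripinsights            # hypothetical namespace
spec:
  ingressClassName: nginx
  rules:
    - http:
        paths:
          # The simulator calls APIs by name under the single endpoint, so the
          # path is passed through unchanged (no rewrite-target annotation).
          - path: /api/trips
            pathType: Prefix
            backend:
              service:
                name: trips          # hypothetical Service name for the Trip API
                port:
                  number: 80
          # Add one entry per remaining API (Points of Interest, User Profile,
          # User) using the paths from the API paths reference; the port must
          # match each Service's port, not the container port.
          # - path: <PATH_FROM_API_PATHS_REFERENCE>
          #   pathType: Prefix
          #   backend:
          #     service:
          #       name: <SERVICE_NAME>
          #       port:
          #         number: 80
          # Assumption: the Trip Viewer web app is served from the root.
          # Keep this last: with pathType Prefix, "/" matches everything the
          # more specific /api/... entries did not claim.
          - path: /
            pathType: Prefix
            backend:
              service:
                name: tripviewer     # hypothetical Service name
                port:
                  number: 80
```

The endpoint you submit to the simulator is then `http://<INGRESS_PUBLIC_IP>` (the controller's LoadBalancer address from `kubectl get svc -n ingress-nginx`), and each backend Service remains of type ClusterIP so that only the ingress controller is exposed. A rule with no `host:` matches any Host header, which is what an IP-only endpoint needs; once you have a DNS name, pinning `host:` narrows what the controller will route.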
Desired Architecture
Success Criteria
- Your team secured your Azure SQL Server connection information such that literal values cannot be inappropriately accessed
- Your team used an external key vault to store and access secrets inside your cluster, and ensured that access does not require a secret stored in the cluster
- Your team ensured that all links on the Trip Viewer site are reachable
- Your team ensured the simulator can successfully update the values in the application across all services
References
API paths reference
API configuration reference
Azure Kubernetes Service (AKS)
- Secret Store CSI driver
- Ingress Controllers
- Create an NGINX ingress controller in AKS
- HTTP Application Routing Ingress Controller
Kubernetes
Azure
OpenHack
Hello and welcome to OpenHack, a challenge oriented hack event from Microsoft. You will be presented with a series of challenges, each one more difficult than the one before.
You should already be assigned to and seated with a team, with whom you will attempt to solve as many challenges as you can within today’s hack time.
You have been assigned a coach who will be your first point of contact, and is here to support you and answer questions during the hack. They will not, however, solve the challenges for you.
You may notice a resource group called teamResources in your Azure subscription. This resource group contains any pre-provisioned resources referenced in the challenges.
The Premise
You work for Humongous Insurance. One of their products provides customers the opportunity to qualify for lower car insurance rates. Customers can do this by opting in to use Humongous Insurance’s TripInsights app, which collects data about their driving habits. Your team has been assigned to modernize the application and move it to the cloud.
The TripInsights application, once a monolith, has been refactored into a number of microservices:
- Trip Viewer WebApp (.NET Core): Your customers use this web application to review their driving scores and trips. The trips are being simulated against the APIs within the OpenHack environment.
- Trip API (Go): The mobile application sends the vehicle’s on-board diagnostics (OBD) trip data to this API to be stored.
- Points of Interest API (.NET Core): This API is used to collect the points of the trip when a hard stop or hard acceleration was detected.
- User Profile API (NodeJS): This API is used by the application to read the user’s profile information.
- User API (Java): This API is used by the application to create and modify the users.
The source code of all the microservices is available here.
The Challenges
Each challenge will lead you through a stage of the technical investigation as briefly laid out by your fictional CTO. These investigations become more technically challenging as you progress.
We do not provide guides or instructions to solve the challenges, just a few hints and documentation references that you may find useful. There are multiple ways to solve each challenge, and very likely some we haven’t thought of. We’re interested in seeing your own unique solutions to each problem, and you should absolutely work with your coaches and the OpenHack Team to validate your solution as correct.
One final tip: Read everything very carefully
The OpenHack team have worked hard to ensure each problem is solvable. All the details you should need are within the challenge briefs, which are very carefully written and worded to give you clues toward the solution. Reading them fully is the best way to figure out a solution, as small points can be easily missed. Your coaches will help to fill gaps in your understanding, provided you ask them the right questions.